tavily

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes examples that embed an API key literal (e.g., api_key="tvly-YOUR_API_KEY" and curl -H "Authorization: Bearer tvly-YOUR_API_KEY"), which encourages inserting secrets verbatim into code/commands and could cause an LLM to output user-provided secrets directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly performs web search, extraction, crawling, and autonomous research against open/public URLs (see SKILL.md and references/api.md: Search, Extract, Crawl, and Research endpoints), so it ingests untrusted third‑party web content that the agent reads and can influence tool use and subsequent actions (e.g., crawl "instructions" and Research WebSearch tool calls).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The integrations documentation shows runtime use of the remote MCP endpoint (https://mcp.tavily.com/mcp/?tavilyApiKey=) together with npx invocations (e.g., npx -y @tavily/mcp or npx -y mcp-remote https://mcp.tavily.com/mcp/?...) which download and execute remote npm packages at startup and wire a remote MCP server into the agent toolchain — satisfying runtime use, execution of fetched remote code, and reliance on that external service to operate the integration.